A privacy flaw in the O2 4G Calling service exposed customer location data for several months. The issue affected millions of customers and made it easy to track users through the responses the mobile network sent.
The problem came from O2’s use of the IMS (IP Multimedia Subsystem) standard. This technology powers Voice over LTE (VoLTE), which lets users make calls and send texts over 4G networks. It promises faster, higher-quality connections than older 2G or 3G networks.
However, when UK network enthusiast Daniel Williams tested O2’s new service, he found something alarming. His phone was receiving messages from the network that revealed sensitive user data. These messages included unique identifiers such as IMSI and IMEI numbers, as well as cell information and the recipient’s location area code.
Using this data, someone could match location codes with public crowd-sourced cell tower databases. In cities, where towers cover small areas, this could pinpoint a user’s location to within 100 square meters. Williams even demonstrated the method on a friend roaming in Copenhagen, showing he could track them to the city center.
What’s more concerning? No special tools were needed. Williams relied on his phone and basic mobile networking knowledge. He noted that disabling 4G Calling didn’t stop the data from being shared. That means all O2 customers using IMS-based calls were at risk.
“This vulnerability made it easy to locate O2 users. Even someone with limited technical skills could do it. And there was no way for customers to block it themselves,” Williams explained.
The exposure began when O2 launched 4G Calling in March. The flaw remained active until recently. O2 has since confirmed that a fix is now in place.
“Our engineering teams worked on a fix for several weeks. It’s fully implemented now. Customers don’t need to take any action,” said a spokesperson from O2 and Virgin Media.
While the issue is resolved, the incident raises broader concerns. As mobile networks rely more on data-based voice services, strong security and privacy measures must be in place from day one.